Trojan.Downloader.JS.NN
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Trojan.Downloader.JS.NN.
Explanation:
This malicious JavaScript may come bundled inside a PDF document.
When an infected PDF is opened, the JavaScript will get executed and will perform the following actions:
The first step involves decrypting the rest of the script, which is responsible for spraying the shellcode at a specific address inside the attacked process.
It then places several NOP (No OPeration) instructions at the beginning of the code, in order to avoid receiving execution at an invalid address.
The exploit code (~450 B) will first decrypt its encrypted body, locate several API functions it needs and then it will download a file from http://netcorb[removed]/load.php, saving it under the name "~.exe", in the current folder. After a successful download, it will launch the file. The downloaded executable may be subject to change, and at the time of writing, the link was dead.
The detection name stands for the infected PDF file and infected JavaScripts.
Last update 21 November 2011